
My name is SNOWHITE and I will be helping you with your Malware problem.

Please follow the steps below exactly in the order they are written:

Step #1

1. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results". Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
2. Download ComboFix from one of these links: Link 1, Link 2.
3. Double-click combofix.exe and follow the prompts.
4. When finished, it will produce a log for you. Post that log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note: ComboFix should never take more than 20 minutes, including the reboot if malware is detected.

If it does, open Task Manager (press Ctrl+Alt+Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.

If that happened we want to know, and also what process you had to end.

Step #2

Open HijackThis, click Config, click Misc Tools.
Click "Open Uninstall Manager".
Click "Save List" (generates uninstall_list.txt).
Click Save, then copy and paste the results in your next post.

Post back with the ComboFix report, uninstall list and new HijackThis report.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\temp532.exe

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.

Click the red Moveit! button.

Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.

Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step #3

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:

Scroll down to where it says "Java Runtime Environment (JRE) 6u3...allows end-users to run Java applications".

Click the "Download" button to the right.

Read the License Agreement and then check the box that says: "Accept License Agreement".

The page will refresh.

Click on the link to download Windows Offline Installation and save the file to your desktop.

Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.

Java 2 Runtime Environment, SE v1.4.1_02

Click the Remove or Change/Remove button.

Repeat as many times as necessary to remove each Java version.

Reboot your computer once all Java components are removed.

Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

OPTIONAL: Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

WildTangent Web Driver

Wild Tangent is a video game software company specializing in online games. It has even made a partnership with AOL to include itself as part of the AOL Instant Messenger for their AIM games section. The WildTangent Web Driver is their technology that allows you to play 3D games over the Internet. Although it's not technically considered spyware, it does have built-in components to update itself and gather information about the computer system, including:

Operating System Version
CPU Type and Speed
Memory Amount
Video Card type and Driver Version
Sound Card type and Driver Version
DirectX Version
Location that the Web Driver was installed from

It is also a MAJOR resource hog.

Please note any other programs that you don't recognize in that list in your next response

Step #4

- Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only.

If you are having problems with the updater, you can use this link to manually update ewido/AVG Anti-Spyware: AVG Anti-Spyware manual updates. Download the Full database to your Desktop or to your usual Download Folder and install it by double-clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

- Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.

- Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

- Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.

Click on Scanner on the toolbar.

Click on the Settings tab.

Under How to act?

Click on Recommended Action and choose Quarantine from the popup menu.

Under How to scan?

All checkboxes should be ticked.

Under Possibly unwanted software:

All checkboxes should be ticked.

Under Reports:

Select Automatically generate report after every scan and uncheck Only if threats were found.

Under What to scan?

Select Scan every file.

Click on the Scan tab.

Click on Complete System Scan to start the scan process.

Let the program scan the machine.

When the scan has finished, follow the instructions below. IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.

Make sure that Set all elements to: shows Quarantine (1); if not, click on the link and choose Quarantine from the popup menu (2).

At the bottom of the window click on the Apply all Actions button. (3)
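The Java clean-up above relies on eyeballing Add/Remove Programs, and the later uninstall list in this thread shows how easy it is for an old JRE to survive that. The following is an added example, not part of SNOWHITE's post: it reads the same Uninstall registry keys that Add/Remove Programs and HijackThis's Uninstall Manager use, lists every Java runtime registered there, and flags any older than an assumed cut-off (1.6.0, matching the jre-6u3 installer recommended above). The version parsing is a heuristic for strings like "1.4.1_02" and "1.6.0.30"; the function name and cut-off are this example's own choices.

```powershell
# Added example, not from the BleepingComputer thread: list every Java runtime that
# Add/Remove Programs knows about (the same Uninstall registry keys HijackThis's
# Uninstall Manager reads) and flag the ones older than the release just installed.
# Assumptions: Windows PowerShell 2.0 or later; $KeepVersion is assumed to be 1.6.0
# because jre-6u3 (Java 6 Update 3) registers as 1.6.0_03 / 1.6.0.30.

function Get-InstalledJava {
    param([string]$KeepVersion = '1.6.0')

    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'  # 64-bit hosts only
    )

    # Java version strings look like "1.4.1_02" or "1.6.0.30"; turn both into a [version]
    # so they compare numerically rather than as text (heuristic, assumed good enough here).
    $keep = [version](($KeepVersion -replace '_', '.') -replace '[^\d.]', '')

    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
            if (-not $p.DisplayName) { continue }
            if ($p.DisplayName -notmatch 'Java|J2SE|JRE|Runtime Environment') { continue }

            # Prefer DisplayVersion; fall back to a version embedded in the name,
            # e.g. "Java 2 Runtime Environment, SE v1.4.1_02".
            $ver = $null
            $raw = if ($p.DisplayVersion) { $p.DisplayVersion } else { $p.DisplayName }
            if ($raw -match '(\d+(?:[._]\d+)+)') {
                try { $ver = [version](($matches[1] -replace '_', '.')) } catch { $ver = $null }
            }

            New-Object PSObject -Property @{
                DisplayName     = $p.DisplayName
                DisplayVersion  = $p.DisplayVersion
                Parsed          = $ver
                Outdated        = ($ver -ne $null -and $ver -lt $keep)
                UninstallString = $p.UninstallString   # what Add/Remove Programs would run
                Key             = $key.PSChildName
            }
        }
    }
}

# Show everything Java-related, then only what still needs to go.
$java = Get-InstalledJava
$java | Format-Table DisplayName, DisplayVersion, Outdated -AutoSize
$java | Where-Object { $_.Outdated } | ForEach-Object {
    Write-Host ("Still installed: {0}  ->  {1}" -f $_.DisplayName, $_.UninstallString)
}
```

Run it before and after the Add/Remove Programs step: an entry that is still listed with an UninstallString pointing at a file that no longer exists is exactly the orphaned "Java 2 Runtime Environment, SE v1.4.1_02" case that the thread later works around by reinstalling the same version so its uninstaller runs cleanly.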

Yo snowhite. Please ignore my commentary on step 3. After retrying to uninstall the old Java I was successful. I also updated the computer with Java 6. Just to make sure we are on the same page I ran an uninstall list from HJT so you could see. The computer is working pretty good thus far. Please let me know if you want me to do anything else.

It is good that you installed the latest Java update, but I still see the older one in your uninstall list. We will deal with it later. Now follow the instructions in my previous post for running a scan with Panda ActiveScan and post back with the report, along with a new HijackThis log.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\Linz\Desktop\SurfYa.com.lnk
C:\WINDOWS\Downloaded Program Files\OSD149F.OSD

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.

Click the red Moveit! button.

Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.

Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step #2

We are going to try a different approach to remove your old Java.

Click on this link http://java.sun.com/products/archive/ and on that page scroll down to where it says J2SDK/J2RE - 1.4. Now you need to find the right version of Java in the box next to J2SDK/J2RE - 1.4. The version you need is 1.4.1_02; look at the screenshot:

When you find the right version, click on it so it can be selected and click on the Go button, on the next page you will see something like this:

Click on the Download button under JRE. On the next page you need to click Accept License Agreement:

Click on the link where it says Windows (all languages, including English); the file should be j2re-1_4_1_02-windows-i586-i.exe. Install it, then reboot, go to Add/Remove Programs, uninstall Java 2 Runtime Environment, SE v1.4.1_02, and reboot again.

When it has finished, DSS will open two Notepad windows, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

What DSS will do:

create a new System Restore point in Windows XP and Vista.

clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.

check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Event Record #/Type: 6190 / Warning
Event Submitted/Written: 12/08/2007 02:40:17 AM
Event ID/Source: 36 / W32Time
Event Description: The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type: 6171 / Error
Event Submitted/Written: 12/07/2007 01:01:12 PM
Event ID/Source: 7000 / Service Control Manager
Event Description: The mrtRate service failed to start due to the following error: %%2

-- End of Deckard's System Scanner: finished at 2007-12-09 02:13:48 ------------

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Save this as "CFScript"

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Step #2

Run this scan as well:

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:

Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.

Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.

Once the short scan has finished, Click Options > Change settings

Choose the "Scan tab" and UNcheck "Heuristic analysis"

Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)

Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.

When done, a message will be displayed at the bottom advising if any viruses were found.

Click "Yes to all" if it asks if you want to cure/move the file.

When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)

Important! Reboot your computer, because it is possible that files in use will be moved/deleted during reboot.

After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Step #3

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

If you are using the built-in Windows XP firewall, it is not recommended, as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
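The point of the firewall advice above is outbound filtering: a firewall that only inspects inbound traffic does nothing to stop an already-installed implant from phoning home. What follows is an added example, not part of SNOWHITE's post, showing how to check and close that gap on the built-in firewall of a current Windows release (Windows 8 / Server 2012 or later, where the NetSecurity cmdlets exist). It does not apply to XP itself, whose firewall has no outbound default at all because it never filtered outbound traffic; the nearest XP equivalent is "netsh firewall show state". The function name and the two illustrative allow rules are this example's own choices.

```powershell
# Added example, not from the thread: report whether the host firewall filters outbound
# connections by default, the capability the post says the XP firewall lacks.
# Assumption: Windows 8 / Server 2012 or later (NetSecurity module); run elevated to change settings.

function Test-OutboundFiltering {
    Get-NetFirewallProfile | ForEach-Object {
        New-Object PSObject -Property @{
            Profile         = $_.Name
            Enabled         = $_.Enabled
            DefaultInbound  = $_.DefaultInboundAction
            DefaultOutbound = $_.DefaultOutboundAction
            # Only "Block" stops an unknown program from phoning home. "Allow", and
            # "NotConfigured" (whose effective outbound behaviour is Allow), let every
            # outbound connection through unless a specific block rule matches it.
            BlocksOutboundByDefault = ($_.DefaultOutboundAction -eq 'Block')
        }
    }
}

Test-OutboundFiltering |
    Format-Table Profile, Enabled, DefaultInbound, DefaultOutbound, BlocksOutboundByDefault -AutoSize

# To close the gap: deny outbound by default on every profile, then allow only what the
# host actually needs. The two rules below are illustrative; tailor them to the machine.
# Set-NetFirewallProfile -All -DefaultOutboundAction Block
# New-NetFirewallRule -DisplayName 'Allow DNS out' -Direction Outbound -Protocol UDP -RemotePort 53     -Action Allow
# New-NetFirewallRule -DisplayName 'Allow web out' -Direction Outbound -Protocol TCP -RemotePort 80,443 -Action Allow
```

Expect breakage the first time you flip the default to Block; review the firewall log for dropped outbound connections and add rules per program or port rather than switching the default back. That is the same trade-off the third-party firewalls recommended above make when they prompt on each new outbound connection.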

2. Still get the same error message.

I was hoping it would finally go away. Disappointing. I will see what else can be done and let you know in my next response.

Please post back with the ComboFix report, DrWeb report, and a new HijackThis log.